noScriptUrl

import { Tabs, TabItem } from '@astrojs/starlight/components';

<Tabs> <TabItem label="HTML" icon="seti:html"> :::caution This rule is part of the [nursery](/linter/#nursery) group. This means that it is experimental and the behavior can change at any time. ::: ## Summary - Rule available since: `v2.3.9` - Diagnostic Category: [`lint/nursery/noScriptUrl`](/reference/diagnostics#diagnostic-category) - This rule doesn't have a fix. - The default severity of this rule is [**error**](/reference/diagnostics#error). - Sources: - Same as [`no-script-url`](https://eslint.org/docs/latest/rules/no-script-url) - Same as [`react/jsx-no-script-url`](https://github.com/jsx-eslint/eslint-plugin-react/blob/master/docs/rules/jsx-no-script-url.md) - Same as [`qwik/jsx-no-script-url`](https://qwik.dev/docs/advanced/eslint/#jsx-no-script-url) - Same as [`solid/jsx-no-script-url`](https://github.com/solidjs-community/eslint-plugin-solid/blob/main/packages/eslint-plugin-solid/docs/jsx-no-script-url.md) - Same as [`@eslint-react/dom-no-script-url`](https://eslint-react.xyz/docs/rules/dom-no-script-url)

How to configure

json

{
	"linter": {
		"rules": {
			"nursery": {
				"noScriptUrl": "error"
			}
		}
	}
}

Description

Disallow javascript: URLs in HTML.

Using javascript: URLs is considered a form of eval and can be a security risk. These URLs can execute arbitrary JavaScript code, which can lead to cross-site scripting (XSS) vulnerabilities.

Examples

Invalid

html

<a href="javascript:void(0)">Click me</a>

<pre class="language-text"><code class="language-text">code-block.html:1:8 <a href="https://biomejs.dev/linter/rules/no-script-url">lint/nursery/noScriptUrl</a> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ✖ Avoid using javascript: URLs, as they can be a security risk. > 1 │ <a href="javascript:void(0)">Click me</a> │ ^^^^^^^^^^^^^^^^^^^^^ 2 │ ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS). ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead. ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit <a href="https://biomejs.dev/linter/#nursery">https://biomejs.dev/linter/#nursery</a> for more information. </code></pre>

html

<a href="javascript:alert('XSS')">Click me</a>

<pre class="language-text"><code class="language-text">code-block.html:1:8 <a href="https://biomejs.dev/linter/rules/no-script-url">lint/nursery/noScriptUrl</a> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ✖ Avoid using javascript: URLs, as they can be a security risk. > 1 │ <a href="javascript:alert('XSS')">Click me</a> │ ^^^^^^^^^^^^^^^^^^^^^^^^^^ 2 │ ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS). ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead. ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit <a href="https://biomejs.dev/linter/#nursery">https://biomejs.dev/linter/#nursery</a> for more information. </code></pre>

Valid

html

<a href="https://example.com">Click me</a>
<a href="/path/to/page">Click me</a>
<a href="#section">Click me</a>
<span href="javascript:void(0)">Not a real href</span>

</TabItem> <TabItem label="JavaScript (and super languages)" icon="seti:javascript"> :::caution This rule is part of the [nursery](/linter/#nursery) group. This means that it is experimental and the behavior can change at any time. ::: ## Summary - Rule available since: `v2.3.9` - Diagnostic Category: [`lint/nursery/noScriptUrl`](/reference/diagnostics#diagnostic-category) - This rule doesn't have a fix. - The default severity of this rule is [**error**](/reference/diagnostics#error). - Sources: - Same as [`no-script-url`](https://eslint.org/docs/latest/rules/no-script-url) - Same as [`react/jsx-no-script-url`](https://github.com/jsx-eslint/eslint-plugin-react/blob/master/docs/rules/jsx-no-script-url.md) - Same as [`qwik/jsx-no-script-url`](https://qwik.dev/docs/advanced/eslint/#jsx-no-script-url) - Same as [`solid/jsx-no-script-url`](https://github.com/solidjs-community/eslint-plugin-solid/blob/main/packages/eslint-plugin-solid/docs/jsx-no-script-url.md) - Same as [`@eslint-react/dom-no-script-url`](https://eslint-react.xyz/docs/rules/dom-no-script-url)

How to configure

json

{
	"linter": {
		"rules": {
			"nursery": {
				"noScriptUrl": "error"
			}
		}
	}
}

Description

Disallow javascript: URLs.

Using javascript: URLs is considered a form of eval and can be a security risk. These URLs can execute arbitrary JavaScript code, which can lead to cross-site scripting (XSS) vulnerabilities.

Examples

Invalid

jsx

<a href="javascript:void(0)">Click me</a>

<pre class="language-text"><code class="language-text">code-block.jsx:1:8 <a href="https://biomejs.dev/linter/rules/no-script-url">lint/nursery/noScriptUrl</a> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ✖ Avoid using javascript: URLs, as they can be a security risk. > 1 │ <a href="javascript:void(0)">Click me</a> │ ^^^^^^^^^^^^^^^^^^^^^ 2 │ ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS). ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead. ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit <a href="https://biomejs.dev/linter/#nursery">https://biomejs.dev/linter/#nursery</a> for more information. </code></pre>

jsx

<a href="javascript:alert('XSS')">Click me</a>

<pre class="language-text"><code class="language-text">code-block.jsx:1:8 <a href="https://biomejs.dev/linter/rules/no-script-url">lint/nursery/noScriptUrl</a> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ✖ Avoid using javascript: URLs, as they can be a security risk. > 1 │ <a href="javascript:alert('XSS')">Click me</a> │ ^^^^^^^^^^^^^^^^^^^^^^^^^^ 2 │ ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS). ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead. ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit <a href="https://biomejs.dev/linter/#nursery">https://biomejs.dev/linter/#nursery</a> for more information. </code></pre>

React.createElement('a', { href: 'javascript:void(0)' });

<pre class="language-text"><code class="language-text">code-block.js:1:34 <a href="https://biomejs.dev/linter/rules/no-script-url">lint/nursery/noScriptUrl</a> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ✖ Avoid using javascript: URLs, as they can be a security risk. > 1 │ React.createElement('a', { href: 'javascript:void(0)' }); │ ^^^^^^^^^^^^^^^^^^^^ 2 │ ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS). ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead. ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit <a href="https://biomejs.dev/linter/#nursery">https://biomejs.dev/linter/#nursery</a> for more information. </code></pre>

Valid

jsx

<a href="https://example.com">Click me</a>

jsx

<a href="/path/to/page">Click me</a>

jsx

<a href="#section">Click me</a>

</TabItem> </Tabs>

How to configure

Description

Examples

Invalid

Valid

Related links

How to configure

Description

Examples

Invalid

Valid

Related links